To protect your MongoDB cluster and the data it holds, you will want to employ the following security measures:
Enable authorization and enforce authentication
This chapter demonstrates how to address the first two security measures with a tutorial on using MongoDB’s support for x.509 to configure authentication and transport layer encryption to ensure secure communications among clients and servers in a MongoDB replica set. We will touch on encrypting data at the storage layer in a later chapter.
While authentication and authorization are closely connected, it is important to note that authentication is distinct from authorization. The purpose of authentication is to verify the identity of a user, whilst authorization determines the verified user’s access to resources and operations.
Enabling authorization on a MongoDB cluster enforces authentication and ensures users can only perform actions they are authorized for, as determined by their roles. The Community version of MongoDB provides support for SCRAM (Salted Challenge Response Authentication Mechanism) and x.509 certificate authentication. In addition to SCRAM and x.509, MongoDB Enterprise supports Kerberos authentication and LDAP proxy authentication. See the documentation for details on the various authentication mechanisms that MongoDB supports. In this chapter, we will focus on ...